IoT World Today

New IoT Security Issue Can Breach Network Segments

Armis research finds that vulnerabilities in Bluetooth Low Energy chips pose a major IoT security risk.
  • Written by Courtney Bjorlin
  • 2nd November 2018

Vulnerabilities in chips made by Texas Instruments open enterprises to attacks that are capable of breaching even network segmentation, a major security strategy used to guard against the risks of IoT devices, according to research from Armis.

The Bluetooth Low Energy (BLE) chips are used in many products, according to Armis. The highest risk for the enterprise comes from the chips in the Wireless Access Points (WAP) made by Cisco, Meraki and Aruba. The vulnerabilities allow an unauthenticated attacker to broadcast a BLE beacon, take over the access points, spread malware and move laterally across network segments, according to Armis. The vulnerabilities can’t be detected or stopped by traditional network and endpoint security solutions, according to researchers.

As far as researchers know, such an attack has not happened outside the research done in the labs of the IoT security startup. But its risk signals two things to enterprises: that they need to view access points as unprotected and unmanaged devices, and that network segmentation, a primary security strategy, is at risk in the IoT age, according to Armis.

“There’s this virtual entity called the network. But it’s implemented by devices like any other IoT device,” said Ben Seri, vice president of research at Armis, an IoT security startup based in both Israel and Palo Alto. “There are no traditional security mechanisms that look at these attacks. This is something that is new in the marketplace. It can rise really fast.”

The good news is security updates for the so-called “BLEEDINGBIT” bug have already been provided by Texas Instruments. Cisco, Meraki and Aruba were expected to announce patches Thursday, and Armis researchers are confident the patches will address the vulnerabilities.

The bug gets its name from a missing mask on the highest (most significant) bit of a BLE packet’s length field, according to Armis. Turning this bit on causes a memory corruption that can lead to RCE (remote code execution). This one bit will cause the entire chip to bleed, according to Armis.
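The missing-mask class of bug described above, shown as an added example that is not code from Armis, Texas Instruments or the original article: a length byte read with and without its reserved bits masked, followed by a bounds-checked copy. The two-byte header layout, the 6-bit length mask, the 37-byte payload limit and the sample packet are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for illustration (not TI's firmware): byte 0 = PDU type,
 * byte 1 = length. Only the low 6 bits of byte 1 carry the payload size;
 * the upper bits are reserved. */
#define LEN_MASK    0x3Fu
#define MAX_PAYLOAD 37u   /* assumed protocol limit on payload bytes */

/* Constructed sample: length byte 0x86 = top bit set, low 6 bits = 6. */
static const uint8_t SAMPLE_PKT[] = {0x00, 0x86, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6};

/* What a parser reads when it forgets the mask: 0x86 becomes 134. */
size_t len_unmasked(const uint8_t *pkt) { return pkt[1]; }

/* The same field with the reserved bits cleared: 0x86 becomes 6. */
size_t len_masked(const uint8_t *pkt) { return pkt[1] & LEN_MASK; }

/* Hardened copy: returns the number of bytes copied, or -1 if rejected. */
int copy_payload(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t out_cap)
{
    if (pkt == NULL || out == NULL || pkt_len < 2)
        return -1;                      /* header incomplete */
    size_t n = len_masked(pkt);
    if (n > MAX_PAYLOAD)
        return -1;                      /* larger than the protocol allows */
    if (n > pkt_len - 2)
        return -1;                      /* claims more than was received */
    if (n > out_cap)
        return -1;                      /* would not fit the destination */
    memcpy(out, pkt + 2, n);
    return (int)n;
}

int main(void)
{
    uint8_t out[MAX_PAYLOAD];
    printf("unmasked length: %zu (buffer holds %u)\n",
           len_unmasked(SAMPLE_PKT), MAX_PAYLOAD);
    printf("masked length:   %zu\n", len_masked(SAMPLE_PKT));
    printf("copied:          %d\n",
           copy_payload(SAMPLE_PKT, sizeof SAMPLE_PKT, out, sizeof out));
    return 0;
}
```

With the mask omitted, a single set bit turns a 6-byte payload into a claimed 134 bytes, far beyond the destination buffer; the hardened path masks first and then checks the result against the protocol limit, the bytes actually received and the buffer capacity.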

The vulnerabilities stem from two issues. First, a hacker can broadcast malicious BLE packets, and any vulnerable access point within range would be compromised. The hacker can use the BLE chip to compromise the main operating system and gain full control over it, according to Armis. This vulnerability impacts TI cc2640/50, embedded in Cisco and Meraki Wi-Fi access points.

A second issue comes from a feature left on in the BLE chip that was not supposed to be shipped in production. Using this over-the-air download (OAD) feature, the hacker can install a new and different version of firmware, effectively rewriting the operating system of the device, according to researchers. By abusing this feature, an attacker can gain a foothold on an access point through which he can penetrate secure networks, according to Armis. This issue affects Aruba Wi-Fi access point Series 300 with TI BLE chip (cc2540).

Most organizations that use these wireless access points don’t use the features enabled by the BLE chips, according to researchers. For that reason, in addition to applying the patches, researchers recommend turning off the BLE chip if the organization doesn’t need it.

In all, the vulnerabilities show the implications of chip firmware and unmanaged devices in enterprises.

“Every device should have a zero trust approach right now,” said Michael Parker, vice president of marketing for Armis.
